An attacker could leverage the flaw to execute his own code

Mar 23, 2012 09:53 GMT  ·  By

The Apache Software Foundation released Apache Traffic Server 3.0.4 Stable and Apache Traffic Server 3.1.3 Developer to address a heap overflow vulnerability that affected the previous versions of the product.

The security hole was reported to Apache by CERT-FI; it was discovered by the Codenomicon CROSS project.

CERT-FI reports that the flaw can be exploited remotely by an unauthenticated attacker, without any user interaction.

The heap allocation issue was found in the product's HTTP protocol handling.

It allows an attacker to cause a denial-of-service (DoS) condition, or even to execute his own malicious code, by sending a specially crafted HTTP request to a server running a vulnerable version of Apache Traffic Server.

The vendor recommends that customers immediately apply the updates to ensure the safety and integrity of their servers.

Apache Traffic Server 3.1.3 / 3.0.4 / 2.1.9 / 2.0.1 is available for download.
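For administrators auditing their own fleet against the fixed releases named above (3.0.4 Stable and 3.1.3 Developer), the following is an added example, not code from the article or from the Apache Traffic Server project. It assumes version strings of the form "ATS/3.0.3" or "3.0.3"; the inventory is constructed sample input, and branches the article does not cover (such as 2.x) are reported as unknown rather than guessed.

```python
# Added example (not from the article or the ATS project): classify an
# Apache Traffic Server version string against the fixed releases the
# article names, 3.0.4 (stable branch) and 3.1.3 (developer branch).
import re
from typing import Dict, Optional, Tuple

# Fixed release per branch, as stated in the article.
FIXED: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (3, 0): (3, 0, 4),
    (3, 1): (3, 1, 3),
}


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract a dotted x.y.z version from e.g. 'ATS/3.0.3' or '3.1.3'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def needs_update(version: str) -> Optional[bool]:
    """True if the version is in a fixed branch but older than the fix,
    False if it is at or past the fix, None if the string is unparseable
    or the branch is not covered by the article (e.g. 2.x), in which case
    the vendor advisory must be consulted instead of guessing."""
    v = parse_version(version)
    if v is None:
        return None
    fixed = FIXED.get((v[0], v[1]))
    if fixed is None:
        return None
    # Tuple comparison handles multi-digit components correctly (3.0.10 > 3.0.4).
    return v < fixed


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'update', 'ok' or 'unknown' for a {host: version} dict."""
    labels = {True: "update", False: "ok", None: "unknown"}
    return {host: labels[needs_update(ver)] for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, e.g. collected from Server headers or package lists.
    sample = {"cache1": "ATS/3.0.3", "cache2": "ATS/3.0.4",
              "cache3": "3.1.2", "cache4": "ATS/2.1.9"}
    for host, status in audit(sample).items():
        print(f"{host}: {status}")
```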
